Today, there are many solutions available for user authentication on mobile devices. These solutions vary in the nature of how users are authenticated. Some use a password for authentication; others use a pattern, biometric or facial recognition.
These solutions also vary in the context in which users are authenticated. User authentication occurs either at the device level or at the application level. Device level authentication authenticates whether a user is a valid user of the mobile device, thereby establishing ownership. Device level authentication generally uses knowledge-based mechanisms like PINs, passwords and visual interfaces. This knowledge-based input might be more time-consuming and exhausting to the user. Application level authentication, on the other hand, authenticates whether a user is a valid user of an application installed on the mobile device.
Alternative approaches to device level user authentication are stroke-based mechanisms using a touch screen. This approach may be regarded as an extension of knowledge-based authentication, with the difference that the user remembers a shape of strokes rather than a number or a password. The user enters the shape by applying a sequence of strokes rather than using a number or password.
Another alternative authentication method is to use graphical passwords. A graphical password does not consist of digits and letters, but of one or more images (e.g., an automobile, a shoe, a horse, or a parking meter). One approach is to select a correct sequence of presented images or alternatively to locate special points in a presented image. Graphical passwords can be used on mobile devices, but require a certain screen size and resolution, and a sufficient method, such as a cropping function or the like, to select the images or points.
In general, application level authentication requires the user to enter at least a password, if not a user name as well, every time the application is started. This type of authentication presents limitations in terms of usability as well as security. For instance, users often need to enter complex usernames and/or passwords manually on mobile devices that often have a small screen size. In addition, password authentication also presents a security limitation as the application needs to store the password and possibly the user name somewhere on the mobile device for verification.
Biometric authentication is becoming more common on mobile devices for device-level authentication. Current mobile applications, however, do not support biometric technology as a method of application-level authentication. The device-level biometric authentication does not establish whether a user is a valid user of a mobile application installed on the mobile device. For example, if user Annabel uses her fingerprint to gain access to her smartphone, it just proves that Annabel is a registered user of the smartphone, and does not automatically guarantee that Annabel is a valid user of the banking mobile app installed on that smartphone. The banking application instead may still require user input of a user name and/or password.
Hence a need exists for a mobile application-level biometric authentication system and method that uses biometric technology offered on a mobile device in the same manner that a smartphone allows users to unlock their mobile device and establish device ownership or authorized use of the mobile device.